Note to the Reader

Chapter I provides the necessary background to the results which this thesis extends. The reader who is already familiar with Cook [5] will find very little new information here.

Chapter II motivates the modifications which are sufficient for the complete extension of the axiomatic system to recursive programs.

Chapter III presents the proofs of certain lemmas and culminates in the completeness proof for the extended system.

Notation  We use Burstall's "cases" notation, in which a definition of the form f(a) = cases a: followed by a list of alternatives, each pairing a syntactic form of a with an expression, indicates that f(a) is defined as the expression paired with the form that a has.

'Cl(a)' indicates the universal closure of a, where a is a wff of some predicate calculus.
Introduction

We write programs but we are not certain that they do precisely what we intend them to do. We use these programs, and we sometimes discover that, in spite of a convincing performance on trial data sets, a particular program is not entirely "correct": it ends abnormally under some conditions, or it occasionally fails to accomplish what it was devised to accomplish. This disparity between the algorithm that the programmer thinks he has designed and what actually occurs during the execution of his program is a prime motivation for the development of techniques which allow one to prove that programs are correct.

The way to prove that a program is correct is to make assertions about what it is doing, and prove that the assertions are in some sense true about the program. The kinds of assertions we allow and which ones we take as true will depend on our assignment of semantics to the program.

The formal deductive theory that is treated in this thesis is based on one proposed by C.A.R. Hoare ([1], [2]), which he derives from work by R.W. Floyd ([3]), for proving the correctness of programs written in a fragment of Algol 60. The definition of the semantics of this fragment is a modification of the interpretive model in Lauer [4], as presented in Cook [5]. There are many other approaches to the definition of formal theories and semantics of programs. Among these are the functional approach due to J. McCarthy, D. Scott and others, R. Burstall's first order logic approach, and the algebraic theory due to S. Igarashi and J.W. de Bakker, as well as other proposals using the interpretive model's constructive approach, differing only in the degree to which it is "machine-oriented". These various directions of research have been discussed and compared in Lauer [4] and Hoare and Lauer [6].

Once we have an interpretive model and a deductive theory for a particular programming language, it is natural to inquire into their relationship. In particular, we are interested in knowing that each program that is correct according to our semantics is provable in our deductive theory, and no incorrect program is provable. These questions of completeness and soundness have been investigated by S.A. Cook ([5]). The Algol fragment that Cook considers is simple but realistically usable. Notably lacking are statement labels and jumps, functions, data structures and recursive procedures. Statement labels, jumps and functions are considered by M. Clint and Hoare ([8]). Work on correctness and data structures has been done by Hoare ([9]) and, more recently, by Cook and D. Oppen ([10], [11]). This thesis addresses the problems involved in extending Cook's work on completeness to an augmented language which includes a rather general capacity for recursion.
Chapter I

The Algol 60 fragment Al[L_1,L_2] consists of variable and procedure declarations, and assignment, conditional, while, compound and block statements as in Algol 60, where L_1 is the predicate calculus which supplies the language's variables and expressions, and L_2 is its extension into a language used for assertions. L_2 has a distinguished constant symbol, e_0, which will stand for the value to which all new variables will be initialized. Procedures are allowed, with restrictions on parameters as follows.

In procedure declarations

  <procedure name>(x:v) proc <procedure body>,

where '(x:v)' indicates the formal parameters, x and v are disjoint lists of distinct variables and no variable in v may occur to the left of any assignment statement. In procedure calls

  call <procedure name>(a:e),

where '(a:e)' indicates the actual parameters, a is a list of distinct variables, e is a list of expressions with no occurrence of a variable in a, and no variable in (a:e) occurs globally in the procedure body (unless it happens to be a formal parameter).

An interpretive model M[I] is given by (I,R,S,A,Π), where I is an interpretation of L_2; R is an infinite set of registers X_1, X_2, ...; the set S of states consists of the mappings s : R → U, where U is the domain of values given by I; the set A of variable assignments consists of the 1-1 mappings δ : V → R, where V is any finite set of variables in L_1; and the set Π of procedure assignments consists of the mappings π : {procedure names} → {procedure bodies} × {formal parameter lists}. A formula P in L_2 is true with respect to a state s and variable assignment δ defined for its free variables y_i (written: ⊨_{M[I]} P(s,δ)) iff the formula is true in I under the interpretation of each y_i given by the corresponding value s(δ(y_i)). (When P has no free variables, we may write simply ⊨_{M[I]} P.) Similarly, an expression e evaluated with respect to a state s and a variable assignment δ defined for its variables (written e(s,δ)) is the result of applying the expression's operators in the indicated manner to the values of their operands as given by s and δ. Finally, we recursively define the function Comp, central to M[I], which maps a statement A and its initial environment, given by s, δ and π, onto a sequence <s_1,s_2,...> of successive states encountered in its computation.

Notation  A* stands for a sequence A_1;A_2;...;A_j, j≥0, of statements of Al[L_1,L_2].

D* stands for a sequence D_1;D_2;...;D_k, k≥0, of declarations of Al[L_1,L_2].

A, A_1, A_2 each stand for statements of Al[L_1,L_2].

⌢ indicates concatenation of sequences of states.

K^{a,e}_{x,v}, where K is a procedure body, indicates the result of substituting the corresponding actual parameters a,e for the free occurrences of the formal parameters x and v (respectively) in K.

Out(A,s,δ,π) is the last state in the sequence given by Comp(A,s,δ,π), when this is a finite sequence.


Definition  Comp(A,s,δ,π) =

cases A:

begin new x; D*; A* end → <s> ⌢ Comp(begin D*; A* end, s', δ', π),
  where δ'(y) = δ(y) if y ≠ x, and δ'(x) = X_{k+1}, where X_k is the highest-indexed register in the range of δ,
  and s'(X_i) = s(X_i) if X_i ≠ δ'(x), and s'(X_i) = I(e_0) if X_i = δ'(x).

begin p(x:v) proc K; D*; A* end → <s> ⌢ Comp(begin D*; A* end, s, δ, π'),
  where π'(q) = π(q) if q ≠ p, and π'(p) = <K,(x:v)>.

begin A_1; A* end → Comp(A_1,s,δ,π) ⌢ Comp(begin A* end, Out(A_1,s,δ,π), δ, π).

begin end → <s>.

x:=e → <s'>, where s'(X_i) = s(X_i) if δ(x) ≠ X_i, and s'(X_i) = e(s,δ) if δ(x) = X_i.

call p(a:e) → <s> ⌢ Comp(K^{a,e}_{x,v}, s, δ, π), where π(p) = <K,(x:v)>.

if R then A_1 else A_2 → <s> ⌢ Comp(A_1,s,δ,π) if ⊨_{M[I]} R(s,δ); <s> ⌢ Comp(A_2,s,δ,π) otherwise.

while R do A_1 → Comp(A_1,s,δ,π) ⌢ Comp(while R do A_1, Out(A_1,s,δ,π), δ, π) if ⊨_{M[I]} R(s,δ); <s> otherwise.

where δ is defined for all variables global in A and π is defined for all procedure names in A which occur globally.
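The definition of Comp can be executed. The Python program that follows is an added example written for this edition of the text; it is not part of the thesis. Statements are nested tuples, expressions and conditions are callables applied to a variable-lookup function, registers are the integers 1, 2, ..., and I(e_0) is assumed to be 0. One modelling choice departs from the letter of the call case: instead of textually substituting K^{a,e}_{x,v}, a call binds each x-formal to the register of its actual variable and each v-formal to a fresh register holding the value of its actual expression. Under the parameter restrictions stated above (v-formals are never assigned, and expressions in e mention no variable of a and no global of the body) the values the body sees are the same, at the cost of one extra register per v-formal in the recorded states. The test program is the factorial procedure of Example 2.1 in Chapter II.

```python
from typing import Callable, Dict, List, Tuple

# Executable model of Comp for Al[L1,L2] (added example, not the thesis's own text).
# Statements:   ('block', [decls], [stmts]) | ('assign', x, e) | ('call', p, [a...], [e...])
#               ('if', R, A1, A2) | ('while', R, A1)
# Declarations: ('new', x) | ('proc', p, ([x-formals], [v-formals]), body)
# Expressions and conditions are callables of a lookup function V, where V('y') = s(δ(y)).
E0 = 0  # I(e_0): the initial value of every newly declared variable (assumed to be 0)

State = Dict[int, int]              # s : registers X_1, X_2, ... (as ints) -> values
Assignment = Dict[str, int]         # δ : variable names -> registers
Procs = Dict[str, Tuple[List[str], List[str], tuple]]   # π : name -> (x, v, body)
Expr = Callable[[Callable[[str], int]], int]

def val(e: Expr, s: State, delta: Assignment) -> int:
    """e(s,δ): evaluate e with each variable y read from register δ(y)."""
    return e(lambda y: s[delta[y]])

def fresh_reg(delta: Assignment) -> int:
    """X_{k+1}, where X_k is the highest-indexed register in the range of δ."""
    return max(delta.values(), default=0) + 1

def comp(A: tuple, s: State, delta: Assignment, pi: Procs) -> List[State]:
    """Comp(A,s,δ,π): the sequence <s_1, s_2, ...> of states, by cases on A."""
    kind = A[0]
    if kind == 'block':
        _, decls, stmts = A
        out: List[State] = []
        delta, pi = dict(delta), dict(pi)       # δ', π' are local to the block
        for d in decls:
            out.append(s)                       # <s> ⌢ Comp(begin D*; A* end, ...)
            if d[0] == 'new':                   # new x: fresh register holding I(e_0)
                delta[d[1]] = fresh_reg(delta)
                s = {**s, delta[d[1]]: E0}
            else:                               # p(x:v) proc K: π'(p) = <K,(x:v)>
                _, p, (xs, vs), body = d
                pi[p] = (xs, vs, body)
        for stmt in stmts:                      # Comp(A_1) ⌢ Comp(begin A* end, Out(A_1))
            seq = comp(stmt, s, delta, pi)
            out.extend(seq)
            s = seq[-1]                         # Out(A_1, s, δ, π)
        out.append(s)                           # begin end → <s>
        return out
    if kind == 'assign':
        _, x, e = A
        return [{**s, delta[x]: val(e, s, delta)}]   # s' differs from s only at δ(x)
    if kind == 'call':
        _, p, actual_vars, actual_exprs = A
        xs, vs, body = pi[p]                    # π(p) = <K,(x:v)>
        delta2, s2 = dict(delta), dict(s)
        for x, a in zip(xs, actual_vars):
            delta2[x] = delta[a]                # x-formal shares the actual's register
        for v, e in zip(vs, actual_exprs):
            delta2[v] = fresh_reg(delta2)       # v-formal: fresh register holding e(s,δ);
            s2[delta2[v]] = val(e, s, delta)    # never assigned, so this stands in for K^{a,e}_{x,v}
        return [s] + comp(body, s2, delta2, pi)
    if kind == 'if':
        _, cond, a1, a2 = A
        return [s] + comp(a1 if val(cond, s, delta) else a2, s, delta, pi)
    if kind == 'while':
        _, cond, a1 = A
        if not val(cond, s, delta):
            return [s]
        seq = comp(a1, s, delta, pi)
        return seq + comp(A, seq[-1], delta, pi)
    raise ValueError(f"unknown statement kind {kind!r}")

def out(A: tuple, s: State, delta: Assignment, pi: Procs) -> State:
    """Out(A,s,δ,π): the last state of Comp (finite computations only)."""
    return comp(A, s, delta, pi)[-1]

# The factorial procedure of Example 2.1:
#   fact(x:v) proc if v = 0 then x := 1 else begin new w; call fact(w:v-1); x := w*v end
FACT_BODY = ('if', lambda V: V('v') == 0,
             ('assign', 'x', lambda V: 1),
             ('block', [('new', 'w')],
              [('call', 'fact', ['w'], [lambda V: V('v') - 1]),
               ('assign', 'x', lambda V: V('w') * V('v'))]))

def run_fact(n: int) -> Tuple[int, int, int]:
    """Run  begin fact(x:v) proc K; call fact(x:v) end  from v = n, x = e_0.
    Returns (final x, final v, number of states in the computation)."""
    prog = ('block', [('proc', 'fact', (['x'], ['v']), FACT_BODY)],
            [('call', 'fact', ['x'], [lambda V: V('v')])])
    delta = {'v': 1, 'x': 2}                    # δ: v lives in X_1, x in X_2
    seq = comp(prog, {1: n, 2: E0}, delta, {})
    final = seq[-1]
    return final[delta['x']], final[delta['v']], len(seq)

if __name__ == '__main__':
    for n in range(6):
        print(n, run_fact(n))
```

Running the program prints (x, v, number of states) for v = 0, ..., 5. The final v equals the initial v in every run, which is the invariance of the v-parameter that the discussion of formula (iii) in Chapter II relies on, and every register ever allocated survives in the final state, exactly as in the sequence Comp produces.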


The deductive system H with which we are concerned is Cook's modification ([5]) of the one proposed by Hoare for Al[L_1,L_2] ([1], [2]). Each formula of H is either of the form P{A}Q, where P,Q are formulas of L_2 and A is a syntactically correct statement of Al[L_1,L_2], or it is a formula of L_2.

Notation  P,Q,R,S stand for formulas of L_2.

α_1,...,α_n / Φ indicates the rule: from the formula(s) α_i, i=1,...,n (n≥1) of H, deduce the formula Φ of H.

D, α / β, where D is a declaration of some procedure p, indicates the rule given by α / β with the understanding that all calls of p in α and β are in accordance with D.

The rules and axiom schemata of H are as follows.

rule of variable declarations

  (P & x=e_0{begin D*; A* end}Q)^y_x
  ------------------------------------
  P{begin new x; D*; A* end}Q

where y has no occurrence in P, Q, D* or A*.

rule of procedure declarations

  D_1, P{begin D*; A* end}Q
  ---------------------------
  P{begin D_1; D*; A* end}Q

where D_1 is any procedure declaration.

rule of compound statements

  P{A}Q, Q{begin A* end}R
  -------------------------
  P{begin A; A* end}R

axiom of compound statements

  P{begin end}P

axiom of assignment statements

  P^e_x{x:=e}P

rule of conditional statements

  P&R{A_1}Q, P&¬R{A_2}Q
  ----------------------------
  P{if R then A_1 else A_2}Q

rule of while statements

  P&Q{A}P
  ----------------------
  P{while Q do A}P&¬Q

rule of non-recursive procedure calls

  p(x:v) proc K, P{K}Q
  ----------------------
  P{call p(x:v)}Q

rule of parameter substitution

  (v'=eσ_1 & Pσ_1{call p(x:v)}v'=eσ_1 & Qσ_1)^{a,e}_{x,v}
  ---------------------------------------------------------
  P{call p(a:e)}Q

where x_1 = x∩a, x_2 = x−x_1; v_1 = v∩a, v_2 = v−v_1; σ = (x',v')/(x,v), where x',v' are lists of new variables in 1-1 correspondence to x,v; and σ_1 is the restriction of σ to x_2 ∪ v_1.

Remark  This somewhat complex rule is simplified in Chapter II. It is presented here in this form to put later developments into perspective. The reader unfamiliar with this rule can skip its details without affecting his understanding of the results of this thesis.

rule of consequence

  P⊃R, R{A}S, S⊃Q
  -----------------
  P{A}Q

Remark  As they are presented here, the rules of H are less than rigorous in dealing with procedure declarations. If we were only concerned about developing a completely formal deductive system, we would transform each rule α_1,...,α_n / β into D*/α_1,...,D*/α_n / D*/β, explicitly indicating the context of procedure declarations D* in all cases. The rule for blocks with procedure declarations would now become

  D*/P{begin D*; A* end}Q
  -------------------------
  P{begin D*; A* end}Q,

enabling us to "discharge" previously implicit assumptions about the context of procedure declarations. Similarly, the rule for procedures would become

  P{K}Q
  -----------------------------------
  p(x:v) proc K / P{call p(x:v)}Q,

where p is a new procedure name, x and v are disjoint lists of distinct variables which occur globally in K, with no occurrence of any variable in v on the left side of an assignment statement. Now having demonstrated that the informality can be eliminated, we immediately abandon the cumbersome notation such a step would introduce. No confusion should result.

We summarize Cook's results concerning the soundness and completeness of the deductive theory with respect to the interpretive model with the following definitions and theorems. For proofs and more complete explanations, refer to Cook [5].

Definition  Given a first order predicate calculus L_2 and an interpretation I of L_2, a formula P{A}Q is true in M[I] (denoted by: ⊨_{M[I]} P{A}Q) iff for all states s,s' such that P(s,δ) is true in M[I] and s' = Out(A,s,δ,π), Q(s',δ) is true in M[I], where δ is any assignment to the free variables of P, Q and A, and π assigns procedure bodies and parameter lists to procedure names in A according to the context of A.

Definition  Let T be a proof system for L_2. A proof in the system (H,T) is a sequence α_1,...,α_n of formulas α_i such that each α_i, 1≤i≤n,

  i) is a formula of L_2 and an axiom of T, or
  ii) is a formula of form P{A}Q and an axiom of H, or
  iii) follows from some α_j, j<i, by a rule of H or T.

If α is a line in some proof in (H,T) we say α is provable (denoted by: ⊢_{H,T} α). If α is a line of some proof when β_1,...,β_n (n≥1) occur as earlier lines, we write β_1,...,β_n ⊢ α.

Cook, following Lauer, has shown that the axioms are sound for non-recursive programs:

Theorem 1  If ⊢_{H,T} P{A}Q then ⊨_{M[I]} P{A}Q, where I is an interpretation of L_2 such that T is sound relative to I.

Definition  Given the languages L_1 and L_2 and the interpretation I of L_2 with domain U, suppose A is a statement of Al[L_1,L_2] and x_1,...,x_n are the free variables of P or A. Then the post relation corresponding to P and A is the relation Q(x_1,...,x_n) on U such that Q(d_1,...,d_n) is true iff there is a state s and variable assignment δ such that d_i = s'(δ(x_i)) for i=1,...,n, and P(s,δ) is true in M[I], where s' = Out(A,s,δ,π), δ is defined for each x_i, and π is appropriate to the context of A. The formula Q in L_2 expresses the relation Q iff Q has free variables x_1,...,x_n and I(Q^{d_1,...,d_n}_{x_1,...,x_n}) <=> Q(d_1,...,d_n) for all d_1,...,d_n ∈ U.

Notation  post(P,A) denotes a particular formula in L_2 which expresses the post relation corresponding to P and A (say, the one with the smallest Gödel number).

Definition  The language L_2 is expressive relative to I and L_1 iff

  (i) '=' is in L_2 and receives its standard interpretation in I, and
  (ii) for every formula P in L_2 and every statement A in Al[L_1,L_2], post(P,A) is defined.

Theorem 2 (Cook)  Let T be a complete proof system for L_2 (relative to I) and suppose L_2 is expressive relative to L_1 and I. Then ⊨_{M[I]} P{A}Q ⇒ ⊢_{H,T} P{A}Q, assuming A uses no recursion.
Chapter II

It is only by supplementing the axiomatic system that we can hope to extend the completeness result to recursive programs. If we attempted a proof of some formula about a particular recursive procedure p(x:v) proc K(p) (this notation ind
icates that the procedure body K contains recursive calls of p), the only available means that offers any hope is the rule of non-recursive procedure calls. Suppose we wanted to prove the formula P{call p(x:v)}Q. To apply this rule we must satisfy its hypothesis; i.e., we must prove P{K(p)}Q. But in the course of this proof it will be necessary for us to have proven already some formula about the recursive call of p in the procedure body K(p). Since the use of this rule requires that any proof of a formula about a recursive procedure be preceded by a proof of some formula about that procedure, it is inadequate. Hoare solves this problem by introducing a rule that handles the special case of recursive procedures.

This rule, as modified by Igarashi et al. ([7]), is:

rule of recursive procedures

  p(x:v) proc K(p), P{call r(x:v)}Q ⊢ P{K(r)}Q
  ------------------------------------------------
  P{call p(x:v)}Q

where r is a dummy procedure name with no occurrence in K(p), and K(r) stands for K with all occurrences of p replaced by r.
The reasoning that this rule represents is this: wanting to prove that a recursive procedure has a particular property, it is sufficient to show that, assuming the interior, recursive calls perform according to this property, the procedure body has the property. It is intended that this rule be used in conjunction with the substitution rule to deduce formulas about calls of recursive procedures using actual parameters.

Remark  The proof that the substitution rule is sound for recursive procedures is identical to its soundness proof for non-recursive procedures as indicated in Cook [5].

Using the rules we now have, we may prove assertions about recursive procedures:

Example 2.1  We specify L_2 to be a language for the natural numbers which includes the factorial symbol '!', specify I to be its standard interpretation, let T denote a proof system complete with respect to I, and create a procedure which computes the factorial of any given natural number:

  fact(x:v) proc if v = 0 then x := 1
                 else begin new w;
                            call fact(w:v-1);
                            x := w*v end.

Claim  The formula

  (i) v≥0{call fact(x:v)}x=v!

is provable.

  (1)  1=v!{x:=1}x=v!                                              [axiom of assignment]
  (2)  (v≥0 & v=0) ⊃ 1=v!                                           [theorem of T]
  (3)  x=v! ⊃ x=v!                                                  [theorem of T]
  (4)  v≥0 & v=0{x:=1}x=v!                                          [(1),(2),(3), rule of consequence]
  (5)  x=v!{begin end}x=v!                                          [axiom of compound statements]
  (6)  w*v=v!{x:=w*v}x=v!                                           [axiom of assignment]
  (7)  w*v=v!{begin x:=w*v end}x=v!                                 [(5),(6), rule of compound statements]
  (8)  w=(v-1)! ⊃ w*v=v!                                            [theorem of T]
  (9)  w=(v-1)!{begin x:=w*v end}x=v!                               [(3),(7),(8), rule of consequence]
  (10) (v=v'-1 & v'≥0 & v'≠0 & x=e_0) ⊃ v≥0                         [theorem of T]
  (11) x=v! ⊃ (v=v'-1 ⊃ x=(v'-1)!)                                  [theorem of T]
  (12) v≥0{call r(x:v)}x=v!                                         [assumption]
  (13) v=v'-1 & v'≥0 & v'≠0 & x=e_0{call r(x:v)}v=v'-1 ⊃ x=(v'-1)!  [(10),(11),(12), rule of consequence]
  (14) v≥0 & v≠0 & w=e_0{call r(w:v-1)}w=(v-1)!                     [(13), rule of parameter substitution]
  (15) v≥0 & v≠0 & w=e_0{begin call r(w:v-1); x:=w*v end}x=v!       [(9),(14), rule of compound statements]
  (16) v≥0 & v≠0{begin new w; call r(w:v-1); x:=w*v end}x=v!        [(15), rule of variable declarations]
  (17) v≥0{if v=0 then x:=1
           else begin new w; call r(w:v-1); x:=w*v end}x=v!         [(4),(16), rule of conditional statements]
  (18) v≥0{call fact(x:v)}x=v!                                      [(1)-(17), rule of recursive procedures]
The fundamental question regarding the completeness of the supplemented deductive theory when recursion is included naturally centers around the new rule. For what formulas (about recursive calls with formal parameters) can the rule's hypothesis be satisfied? We would be fortunate indeed if the proof of every formula went as smoothly as the example above. This is not the case, however. It is easy to see that the formula

  (ii) v>5{call fact(x:v)}x=v!

is true in our model. In order to prove (ii) using the rule of recursive procedures directly, we would have to use a proof analogous to the one displayed in Example 2.1. At the step corresponding to line (10) the attempt fails, since

  (v=v'-1 & v'>5 & v'≠0 & x=e_0) ⊃ v>5

is false in our model (take v'=6, so that v=5), but it is required in order that the rule of consequence yield the necessary hypothesis to the rule of substitution. It so happens that (ii) is still provable, however, since the rule of consequence allows us to deduce it from (i) and the fact that ⊢_T v>5 ⊃ v≥0.

Showing completeness for all programs, recursive or not, would still be a simple matter if it could be shown that all true formulas about recursive calls which did not follow from an immediate application of the rule for recursive procedures did follow by the rule of consequence from some formula that already has been proven. Apparently, even this is not the case. Consider the true formula

  (iii) v>5{call fact(x:v)}x>120.

An attempt to prove this by an immediate application of the rule of recursive procedures fails for the same reason that the attempt to use this approach to prove (ii) fails. Furthermore, we find that the rule of consequence can't be used to derive (iii) from (i) or (ii), since x=v! ⊃ x>120 is false in our model.

An approach to a resolution of this difficulty in proving (iii) is indicated by the observation that its truth depends not only on those properties of fact(x:v) that make (ii) true, but also on its property that the value of v remains unchanged when it is invoked. Formula (iii) won't follow from formula (i) because its truth depends on more information than (i) provides. We have this necessary additional information in the formal parameter list for the procedure. Since v is to the right of the colon, its value cannot change. Perhaps it will suffice to introduce a rule which allows us to glean this sort of information from the syntactic structure of parameter lists. However, with a simple modification we can design a new procedure fact1(x,v:), identical to fact(x:v) except for the structure of its parameter list. The value of v would still remain unchanged by a call to fact1, but we wouldn't be permitted to deduce this from the syntax of the call. So our proposed rule is not sufficient and we will need something more powerful.



What we introduce assures that one special, true formula about any particular recursive procedure is directly provable using the rule of recursive procedures, and any other true formula about that procedure follows from this special one. The completeness result for recursive programs is then obtained by exhibiting, for each recursive procedure p, a "most general formula" α_p such that ⊢ α_p, and α_p ⊢ β for all true formulas β about p.

Since the formula α_p will be used as the basis for proofs of other true formulas about the procedure, the obvious candidate for such a formula is one that completely indicates the computation performed by any call to the procedure. The following example makes clear just how important it is to record somehow the initial values of variables.

Example 2.2  Let L_1 = L_2 be the standard language for number theory. Consider the recursive procedure

  fact2(x,v:) proc if v = 0 then begin x := 24;
                                     v := 4 end
                   else call fact2(x,v-1:).

We note that

  (iv) v≥0{call fact2(x,v:)}x=v!

is true. The formula

  (v) v≥0{call fact1(x,v:)}x=v!

is also true, as indicated above, but these two procedures are hardly equivalent. It is not simply the case that, similar to the results of a call of fact2, a certain relationship happens to obtain between terminating values of variables after invoking fact1. To show exactly what is computed during a call of fact1, we would have to indicate that the occurrences of 'v' in 'v≥0' and 'x=v!' represent the same value. The technique we use is the introduction of new variables which don't appear in the procedure, permitting ourselves to make use of the obvious fact that their values cannot be changed by any call of the procedure.

Definition  Given a procedure p(x:v) proc K, a most general formula for p is a formula

  u=c{call p(x:v)}post(u=c,K),

where c is a list of those variables which either are formal parameters or have a global occurrence in K, and u is a list of new variables in L_1 with no occurrence in x, v, or K, in 1-1 correspondence with the variables of c.

Remark  Every most general formula for any procedure p is true, by the definitions of post(P,A) and Comp. Note that the only restriction introduced by the precondition u=c is that δ be defined for the variables of u.

The rules we now adopt are strong enough to allow us to deduce a formula which lacks the new variables u and yet has a postcondition that may depend on the information u provides in the most general formula.

rule of variable substitution

  P{call p(a:e)}Q
  --------------------
  Pσ{call p(a:e)}Qσ

where σ = z'/z is a substitution of expressions for variables such that i) no variable in z occurs globally in K^{a,e}_{x,v} (where p(x:v) proc K) and ii) for each variable of some expression in z' which happens to occur globally in K^{a,e}_{x,v}, the corresponding variable(s) of z has no occurrence in Q.

Remark  The substitution σ, like all substitutions in this thesis, is understood to affect only the free occurrences of the indicated variables. Furthermore, it is understood that all bound occurrences of a variable are automatically replaced by a new variable when this is necessary to avoid clashing with the substitution σ.

This rule of variable substitution is sound. The proof of this depends on a general property proved in Cook [5]:

Prop. 1  If (s,δ) and (s_1,δ_1) are two state, variable assignment pairs such that s(δ(z)) = s_1(δ_1(z)) for all z with a global occurrence in a statement A of Al[L_1,L_2], then, given s' = Out(A,s,δ,π) and s_1' = Out(A,s_1,δ_1,π), either s'(δ(z)) = s_1'(δ_1(z)) for all z global in A or neither s' nor s_1' is defined.

Lemma 1  For any model M[I] of Al[L_1,L_2], given a procedure p(x:v) proc K, a syntactically correct call call p(a:e), and a substitution σ = z'/z of expressions for variables such that i) no variable in z occurs globally in K^{a,e}_{x,v} and ii) for each variable of z' which happens to occur globally in K^{a,e}_{x,v}, the corresponding variable(s) of z has no occurrence in Q, if ⊨_{M[I]} P{call p(a:e)}Q, then ⊨_{M[I]} Pσ{call p(a:e)}Qσ.

Proof  Fix M[I]. Suppose p and σ are given as above and ⊨_{M[I]} P{call p(a:e)}Q. Suppose that for some state s and variable assignment δ, Pσ(s,δ) is true in M[I] and s' = Out(call p(a:e),s,δ,π) is defined. Define the state s_1: s_1(δ(z)) = z'(s,δ) for each z in z with corresponding expression z', and s_1(δ(y)) = s(δ(y)) for all y not in z for which δ(y) is defined. Then P(s_1,δ) is true in M[I]. Since no variable of z has a global occurrence in K^{a,e}_{x,v}, s(δ(y)) = s_1(δ(y)) for each variable y with such a global occurrence. By the definition of Comp for procedure calls and by Prop. 1, s_1' = Out(call p(a:e),s_1,δ,π) is defined and s'(δ(y)) = s_1'(δ(y)) for each y occurring globally in K^{a,e}_{x,v}. Note that Q(s_1',δ) is true in M[I]. For each variable y not in z that has no global occurrence in K^{a,e}_{x,v}, s_1'(δ(y)) = s_1(δ(y)) = s(δ(y)) = s'(δ(y)). Also, for each variable z in z, if no variable in the corresponding expression z' occurs globally in K^{a,e}_{x,v}, then s_1'(δ(z)) = s_1(δ(z)) = z'(s,δ) = z'(s',δ), and if z' does include some variable global to K^{a,e}_{x,v}, z doesn't occur in Q. From these equalities and the fact that ⊨_{M[I]} Q(s_1',δ), it is easy to see that Qσ(s',δ) is true in M[I].

The second new rule which we adopt is:

rule of conjunction

  P{call p(a:e)}Q, P{call p(a:e)}S
  ----------------------------------
  P{call p(a:e)}Q&S

for any assertions P,Q,S and any procedure p.

The soundness of this rule is easily established. If ⊨_{M[I]} P{A}Q and ⊨_{M[I]} P{A}S, and s,δ are such that P(s,δ) is true in M[I] and s' = Out(A,s,δ,π) is defined, then S(s',δ) is true in M[I] and Q(s',δ) is true in M[I], and hence Q&S(s',δ) is true in M[I].

Our final addition to the existing system is the following.

axiom of invariance

  P{call p(a:e)}P,

where P is any assertion which has no variable occurring in a or e (or globally in the procedure body K, if p(x:v) proc K has been declared, that is, if p is not simply a dummy procedure name).
The restriction on the assertion P guarantees the soundness of this axiom.

Remark  If there is no restriction for dummy procedure names corresponding to the axiom's parenthetical restriction for actual procedures, we can deduce some formula P{call r(a:e)}P with a dummy procedure name r (corresponding to p(x:v) proc K) in which P has variables global to K. In particular, if we allow such a deduction in a subproof required by the hypothesis of the rule for recursive procedures, we can prove false formulas. To avoid this difficulty, we may disallow procedure bodies with global variables. There is precedent for this (e.g., Hoare [2]). An alternative is to recognize that this question of soundness with regard to a dummy procedure name only arises when it is associated with an actual procedure name. In such a case, we can apply a restriction similar to that for actual names, requiring that P not contain any variable global to the body of the actual procedure that is associated with the dummy procedure name.

It is assumed for the remainder of this thesis that one of these alternatives, either restricting the syntax of procedures or restricting the application of this axiom, is chosen. Remaining proofs include the case of variables global to procedure bodies, in case the reader prefers the second choice. Without one of these restrictions the proof for the soundness of the recursion rule will fail.
Remark  The rule of conjunction and the axiom of invariance are simple and intuitive. The rule of conjunction is at least derivable for non-recursive procedures p, by the completeness result for non-recursive programs. The axiom of invariance is derivable for all procedures p, recursive or non-recursive. The problem with both of these is that there is no apparent way of deriving them when they are applied to dummy procedure names. In such a case we have no procedure body to allow us to use one of the recursion rules, and the other rules which might conceivably apply (the substitution rules and the rule of consequence) seem to be of no help. If there is something that makes proofs of correctness for recursive programs qualitatively more difficult than proofs for non-recursive programs, it lies here.

When he first presented his deductive system, C.A.R. Hoare acknowledged the difficulty which prompts our introducing the new rules and axiom. Without making any claims concerning the completeness of the resulting system, he, too, proposes adding a new rule:

rule of adaptation

  P{call p(a:e)}R
  ---------------------------------
  ∃k(P & ∀a(R ⊃ S)){call p(a:e)}S

where k is a list of all variables free in P or R but not in a, e or S. The motivation for this rule is to allow "the assumed properties of a recursive call to be adapted to the particular circumstances of that call. The formulation of [the] rule of adaptation is designed in such a way so as to permit a mechanically derived answer to the question, 'If S is the desired result of executing a procedure call, call p(a:e), and P{call p(a:e)}R is already given, what is the weakest precondition W such that W{call p(a:e)}S is universally valid?'" (Hoare [2]).

The rule of variable substitution and the rule of 
conjunction are quite natural and seem much easier to apply 
than the rule of adaptation, besides being more suited to our 
approach using most general formulas. In addition to these 
advantages, the introduction of the rule of variable 
substitution makes it possible to simplify an already existing 
rule. The version of the rule of parameter substitution that 
we have accepted is proposed in Cook [5] as a replacement for 
the simpler but apparently insufficient rule suggested in 
Hoare [2], lloare's rule is 

rule of parameter substitutio n 

P{ call p(x:v)}Q 
p k ' > a > e { C all 

k,x,v F,x,v 

where the substitution — indicates the renaming of any 

variables in P or Q which are not in x or v but which happen 
to occur in a or e. Cook abandons this simpler rule for the 
one given in Chapter II in order to guarantee that true 
formulas such as x=1{call p(a:)}x=1 are provable, where 
p(x:) proc K. These formulas do seem beyond the power of 
Hoare's version, but the newly introduced rule of variable 
substitution complements matters nicely, making Cook's 
revision unnecessary and allowing us to reinstate Hoare's 
simpler rule of parameter substitution. Thus, a completeness 
proof for Hoare's system, even if it included his rule of 
adaptation, would apparently still require a new rule 
analogous to the rule of variable substitution. We let H' 
denote the deductive system obtained by adding to H the axiom 
of invariance and the rules of variable substitution and 
conjunction, and replacing its rule of parameter substitution 
with Hoare's rule of parameter substitution. Proofs for the 
soundness of the latter and for the completeness of H' for 
non-recursive programs are found in Appendices I and II. 
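As an added illustration (not code from the thesis), the following Python carries out Hoare's rule of parameter substitution as the purely syntactic operation the rule describes: the formals x,v are replaced by the actuals a,e, and every variable of the actuals that is not a formal (the list k) is renamed in P and Q to a fresh primed name k'. Assertions are plain strings with '&' for conjunction and '=>' for implication, an encoding chosen here. The first sample is the step from formula (5) to formula (6) of the sample proof in Appendix III, as it stands before the 'algebra' simplification; the second is a constructed case in which the renaming k'/k is what keeps the conclusion correct.

```python
import re

# One token per identifier (primes allowed, so k' stays one token), number,
# two-character operator, or single symbol.
TOKEN = re.compile(r"[A-Za-z_][\w']*|\d+|<=|>=|=>|\S")

def tokens(text):
    return TOKEN.findall(text)

def variables(text):
    """Identifiers occurring in an assertion or expression."""
    return {t for t in tokens(text) if re.match(r"[A-Za-z_]", t)}

def substitute(assertion, mapping):
    """Simultaneous substitution: each variable named in `mapping` is
    replaced by (the tokens of) its image, all at once, so an image is
    never substituted into again."""
    out = []
    for t in tokens(assertion):
        out.extend(tokens(mapping[t]) if t in mapping else [t])
    return " ".join(out)

def parameter_substitution(P, Q, formals, actuals):
    """Hoare's rule of parameter substitution: from P{call p(x:v)}Q derive
    P^{k',a,e}_{k,x,v}{call p(a:e)}Q^{k',a,e}_{k,x,v}.  `formals` lists the
    variables x,v and `actuals` the expressions a,e in the same order; k is
    the set of variables of the actuals that are not formals, and each is
    renamed in P and Q to a fresh primed variable k'."""
    formals = list(formals)
    actuals = list(actuals)
    if len(formals) != len(actuals):
        raise ValueError("one actual per formal is required")
    k = set().union(*(variables(a) for a in actuals)) - set(formals)
    used = variables(P) | variables(Q) | set(formals)
    used |= set().union(*(variables(a) for a in actuals))
    mapping = {}
    for var in sorted(k):
        fresh = var + "'"
        while fresh in used:          # keep priming until the name is new
            fresh += "'"
        used.add(fresh)
        mapping[var] = fresh
    # The renaming k -> k' and the replacement x,v -> a,e happen together.
    mapping.update(zip(formals, actuals))
    return substitute(P, mapping), substitute(Q, mapping)

# Formula (5) of the sample proof in Appendix III, read as the premise
# P{call r(x:v)}Q of the rule.
P5 = "u_1 = x & u_2 = v"
Q5 = "u_2 = v & (v <= 100 => x = 91) & (v > 100 => x = v - 10)"

def step_six_before_algebra():
    """Instantiate (5) at the inner call r(z:v+11); 'algebra' then turns
    v + 11 <= 100 into v <= 89 and v + 11 - 10 into v + 1, giving (6)."""
    return parameter_substitution(P5, Q5, ["x", "v"], ["z", "v + 11"])
```

In the (5) to (6) step the list k is {z}, which does not occur in P or Q, so the renaming is invisible; in a premise such as y=1 & x=0 {call p(x:)} x=y instantiated at the actual y, the renaming turns the old y into y' and the derived formula correctly speaks about the value y had before the call.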

With the rule of variable substitution, we now have a 
deductive system H',T that is powerful enough to prove a most 
general formula α for any recursive procedure p, and powerful 
enough to deduce any true formula about p from α. This 
augmented deductive theory still does not provide us with the 
means for proving formulas about every sort of program in 
Al[L1,L2]. In particular, we would like to be able to handle 
the case where a program A defines two procedures, each of 
which calls the other, as well as programs with procedures 
which are defined in terms of each other in more complicated 
ways. This requires the introduction of a more general rule, 
of which the rule of recursive procedures is simply a special 
case. 

Definition A recursive cycle R is a set of procedures with 
the properties: 

a) each procedure in R calls only procedures in R, and 

b) there is a non-empty subset R' of R such that every 
procedure in R' calls some procedure in R' and is called by 
some procedure in R'. 

Example 2.4 Procedures are indicated here by letters, and 
arrows point from invoking procedures to the procedures they 
invoke. 

[call graph figure not reproduced] 

Recursive cycles of this graph include 
{w}, {t,u,v}, {p,q,r,s,t,u,v,w}, 
{p,q,r,s,t,u,v,w,z}, 
{p,q,r,s,t,u,v,w,y}, 
{p,q,r,s,t,u,v,w,x,y}, 
{p,q,r,s,t,u,v,w,y,z}, 
{p,q,r,s,t,u,v,w,x,y,z}. 
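As an added example (not part of the thesis), here is a Python checker for the definition above, run on a small constructed call graph rather than on the figure, which is not reproduced. Property a) is closure of R under calls. Property b) is decided by repeatedly discarding procedures that call nothing in, or are called by nothing in, the remaining set; a non-empty survivor set is an R' of the kind the definition asks for, and an empty one shows there is none. The brute-force enumeration also shows that the definition admits call-closed supersets of a cycle, as the example's list does.

```python
from itertools import combinations

# Constructed call graph (not the thesis's figure): each procedure maps to
# the set of procedures its body calls.
CALLS = {
    "p": {"q"},
    "q": {"p", "w"},
    "w": {"w"},        # w calls itself
    "s": {"w"},        # s calls w, but nothing calls s
    "t": set(),        # t calls nothing
}

def is_recursive_cycle(calls, R):
    """True iff R satisfies the definition of a recursive cycle:
    a) every procedure in R calls only procedures in R, and
    b) some non-empty subset R' of R has every member calling some member
       of R' and called by some member of R'."""
    R = frozenset(R)
    if not R:
        return False
    # a) closure under calls
    if any(not calls.get(proc, set()) <= R for proc in R):
        return False
    # b) prune until every survivor calls into, and is called from, the
    # survivor set; any valid R' is never pruned, so survivors are non-empty
    # exactly when a valid R' exists.
    survivors = set(R)
    changed = True
    while changed:
        changed = False
        for proc in list(survivors):
            calls_inside = bool(calls.get(proc, set()) & survivors)
            called_inside = any(proc in calls.get(q, set()) for q in survivors)
            if not (calls_inside and called_inside):
                survivors.discard(proc)
                changed = True
    return bool(survivors)

def recursive_cycles(calls):
    """Every recursive cycle of a small call graph, by brute force over
    all non-empty subsets of its procedures."""
    procs = sorted(calls)
    found = []
    for size in range(1, len(procs) + 1):
        for R in combinations(procs, size):
            if is_recursive_cycle(calls, R):
                found.append(set(R))
    return found
```

On the constructed graph {p,q} is not a recursive cycle (q calls w, so a) fails), {t} is not one (b) fails), while {w}, {p,q,w} and their call-closed supersets such as {s,w} all are.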
rule of recursion 

    p_i(x_i:v_i) proc A_i(p_i^1,...,p_i^{m_i}),  i=1,...,n 

    P_1{call r_1(x_1:v_1)}Q_1,...,P_n{call r_n(x_n:v_n)}Q_n ⊢ P_i{A_i(r_i^1,...,r_i^{m_i})}Q_i,  1≤i≤n 
    -------------------------------------------------------------------------------------------- 
    P_i{call p_i(x_i:v_i)}Q_i,  1≤i≤n 

where p_i^j stands for the j-th procedure to occur (syntactically) 
in a call in the procedure body corresponding to procedure 
p_i, where {p_i | 1≤i≤n} is a recursive cycle, and where each of 
the n distinct dummy procedure names r_i^j (i=1,...,n; j=1,...,m_i) 
replaces the corresponding procedure name p_i^j in the procedure 
body A_i of p_i. 

Lemma 2 The rule of recursion is sound. 

Proof Suppose we are given L1 and L2, a model M[I] for 
Al[L1,L2], and a proof system T of L2, consistent and complete 
relative to I. Suppose the hypothesis of the rule is 
satisfied by some procedures p_i(x_i:v_i) proc A_i(p_i^1,...,p_i^{m_i}) 
which form a recursive cycle. By the soundness of the rules 
and axiom schemata of H' we know that for each j, 1≤j≤n, 

    P_i{call r_i(x_i:v_i)}Q_i |_{i=1,...,n} ⊨_{M[I]} P_j{A_j(r_j^1,...,r_j^{m_j})}Q_j. 

(This notation means that when we substitute names of actual 
procedures for the dummy names, and the formulas on the left 
side are true in M[I], the formula on the right is true in 
M[I].) Let p_j<0>(x_j:v_j) be a procedure which never halts, for 
j = 1,...,n. Define inductively p_j<k>(x_j:v_j) proc A_j(p_j^1<k-1>, 
p_j^2<k-1>,...,p_j^{m_j}<k-1>) for each j,k. Note that for each k and 
j, p_j<k> behaves exactly like p_j if there are at most k-1 
procedure calls encountered in computing Comp(call p_j<k>(x_j:v_j),s, 
δ,π), and it never terminates otherwise. 


We show that if P_i(s,δ) is true in M[I] and 
s' = Out(call p_i(x_i:v_i),s,δ,π), then Q_i(s',δ) is true in 
M[I], for each i = 1,...,n, by induction on the number of 
procedure calls p_i^j that are encountered in computing 
Comp(call p_i(x_i:v_i),s,δ,π). 

Basis Fix i. Suppose P_i(s,δ) is true in M[I] and 
s' = Out(call p_i<1>(x_i:v_i),s,δ,π). By the rule's hypothesis 
and the soundness of the other rules, 

    P_j{call p_j<0>(x_j:v_j)}Q_j |_{j=1,...,n} ⊨_{M[I]} P_i{A_i(p_i^1<0>,...,p_i^{m_i}<0>)}Q_i. 

Since p_j<0> never halts, ⊨_{M[I]} P_j{call p_j<0>(x_j:v_j)}Q_j for 
each j = 1,...,n. Hence ⊨_{M[I]} P_i{A_i(p_i^1<0>,...,p_i^{m_i}<0>)}Q_i and 
(using the definition of Comp) ⊨_{M[I]} P_i{call p_i<1>(x_i:v_i)}Q_i. 
Thus, by our supposition, Q_i(s',δ) is true in M[I]. Since i 
was arbitrary, we have our result for all i, 1≤i≤n, when no 
recursive calls are encountered. 


Induction Hypothesis Suppose ⊨_{M[I]} P_i{call p_i<k>(x_i:v_i)}Q_i 
for any k ≤ K and each i = 1,...,n. 





Inductive Step Fix i. Suppose P_i(s,δ) is true in M[I] and 
s' = Out(call p_i(x_i:v_i),s,δ,π) is defined with K calls of p_i^j 
encountered. Then s' = Out(call p_i<K+1>(x_i:v_i),s,δ,π). By 
the hypothesis and the soundness of the other axioms, 

    P_j{call p_j<K>(x_j:v_j)}Q_j |_{j=1,...,n} ⊨_{M[I]} P_i{A_i(p_i^1<K>,...,p_i^{m_i}<K>)}Q_i. 

By the induction hypothesis, ⊨_{M[I]} P_j{call p_j<K>(x_j:v_j)}Q_j for 
each j = 1,...,n. Hence, ⊨_{M[I]} P_i{A_i(p_i^1<K>,...,p_i^{m_i}<K>)}Q_i. 
But by definition of Comp, this means 
⊨_{M[I]} P_i{call p_i<K+1>(x_i:v_i)}Q_i. Therefore, Q_i(s',δ) is true 
in M[I]. This completes the induction step, so by mathematical 
induction ⊨_{M[I]} P_i{call p_i(x_i:v_i)}Q_i. Since i was chosen 
arbitrarily, 1≤i≤n, this is true for all i: 1≤i≤n. The rule 
is therefore sound. 
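To make the approximants p_j<k> used in this proof concrete, here is an added Python example (not the thesis's own) for a two-procedure recursive cycle constructed for the purpose: even(x:n) and odd(x:n) over the natural numbers, each calling the other, with the result parameter x modelled as the return value. even<k> is even's body with its call replaced by odd<k-1>, odd<k> likewise, and even<0>, odd<0> never halt, which is modelled by an exception since a genuinely non-terminating call could not be observed. The check confirms the property the proof relies on: whenever at most k-1 procedure calls are encountered in computing even(n), even<k> returns the same result as even.

```python
class NeverHalts(Exception):
    """Stands in for the stage-0 approximant, which never halts."""

# Constructed recursive cycle {even, odd}: each procedure's body calls the
# other.  CALLS counts the procedure calls encountered in one computation.
CALLS = {"n": 0}

def _call(proc, n):
    CALLS["n"] += 1
    return proc(n)

def even(n):
    return True if n == 0 else _call(odd, n - 1)

def odd(n):
    return False if n == 0 else _call(even, n - 1)

def run_counted(n):
    """Out(call even(x:n)) together with the number of calls encountered."""
    CALLS["n"] = 0
    return even(n), CALLS["n"]

def even_k(n, k):
    """even<k>: the body of even with its call to odd replaced by odd<k-1>."""
    if k == 0:
        raise NeverHalts
    return True if n == 0 else odd_k(n - 1, k - 1)

def odd_k(n, k):
    """odd<k>: the body of odd with its call to even replaced by even<k-1>."""
    if k == 0:
        raise NeverHalts
    return False if n == 0 else even_k(n - 1, k - 1)

def approximant_result(n, k):
    """Out(call even<k>(x:n)): the result if even<k> halts, None if it
    never terminates."""
    try:
        return even_k(n, k)
    except NeverHalts:
        return None

def check_approximation(limit):
    """For every n < limit and every k <= limit: if at most k-1 calls are
    encountered in computing even(n), then even<k> agrees with even."""
    for n in range(limit):
        result, calls = run_counted(n)
        for k in range(limit + 1):
            if calls <= k - 1 and approximant_result(n, k) != result:
                return False
    return True
```

Computing even(3) encounters three calls (odd(2), even(1), odd(0)), so even<4> returns the same answer while even<3> reaches odd<0> and never halts, which the checker reports as None.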


Let (H'',T) be the deductive system for Al[L1,L2] 
obtained by adding the rule of recursion to (H',T), where T 
is a complete proof system for L2. 
Chapter III 

The proof of the completeness of the system (H'',T) 
for all (recursive and non-recursive) programs in Al[L1,L2] 
depends on a proof that ⊨_{M[I]} P{call p(x:v)}Q ⇒ 
⊢_{H'',T} P{call p(x:v)}Q, and this is shown by introducing most 
general formulas, as mentioned earlier. Given a recursive 
cycle R = {p_1,...,p_n}, a most general formula 
P_i{call p_i(x_i:v_i)}Q_i for each p_i in R and any true formula β 
about these p_i, we prove that 

    (i) P_i{call r_i(x_i:v_i)}Q_i |_{i=1,...,n} ⊢ β(r_1,...,r_n), 

where β(r_1,...,r_n) indicates the result of substituting a 
unique dummy procedure name r_i for each procedure name p_i in 
β. Thus, in particular, when we take β to be P_j{A_j}Q_j, where 
A_j is the procedure body for p_j, for some j, 1≤j≤n, we have 
that 

    (ii) ⊢ P_j{call p_j(x_j:v_j)}Q_j, 

by the general recursion rule. The proof of (i) will 
establish that P_i{call p_i(x_i:v_i)}Q_i |_{i=1,...,n} ⊢ β. Noting 
that (ii) holds for any j, 1≤j≤n, it will follow that ⊢ β. 

Definition For any statement A of Al[L1,L2], the length of 
A, denoted by '|A|', is defined recursively as follows: 

|A| = 
cases A: 
    x := e → 1 
    begin end → 1 
    call p(a:e) → 1 
    begin A_1; A* end → |A_1| + |begin A* end| 
    begin new x; D*; A* end → |begin D*; A* end| + 1 
    begin p(x:v) proc K; D*; A* end → |begin D*; A* end| + 1 
    if R then A_1 else A_2 → |A_1| + |A_2| + 1 
    while R do A_1 → |A_1| + 1. 
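An added Python rendering of this definition (not code from the thesis): statements of the fragment are encoded as nested tuples, an encoding chosen here, and length() follows the cases one for one. calls_in_order() is added alongside it because the completeness argument later works with the syntactically ordered list of calls in a statement, which is not necessarily a list of distinct procedures; both functions are exercised on the body of the mccarthy procedure from Appendix III.

```python
# Statement encoding (constructed for this example):
#   ("assign", x, e)              x := e
#   ("call", p, a, e)             call p(a:e), a and e lists of strings
#   ("block", decls, stmts)       begin D*; A* end; begin end is ("block", [], [])
#       decls are ("new", x) or ("proc", p, x, v, body)
#   ("if", R, A1, A2)             if R then A1 else A2
#   ("while", R, A1)              while R do A1
# Expressions and conditions are kept as strings; they carry no length.

def length(A):
    """|A| as defined above, by recursion on the statement."""
    kind = A[0]
    if kind in ("assign", "call"):
        return 1
    if kind == "block":
        decls, stmts = A[1], A[2]
        if decls:                       # a new-variable or proc declaration
            return length(("block", decls[1:], stmts)) + 1
        if not stmts:                   # begin end
            return 1
        return length(stmts[0]) + length(("block", [], stmts[1:]))
    if kind == "if":
        return length(A[2]) + length(A[3]) + 1
    if kind == "while":
        return length(A[2]) + 1
    raise ValueError("unknown statement form: %r" % (kind,))

def calls_in_order(A):
    """Procedure names of the calls in A, in syntactic order, repeats kept.
    Calls inside declared procedure bodies are included (a choice made here)."""
    kind = A[0]
    if kind == "call":
        return [A[1]]
    if kind == "block":
        found = []
        for d in A[1]:
            if d[0] == "proc":
                found += calls_in_order(d[4])
        for s in A[2]:
            found += calls_in_order(s)
        return found
    if kind == "if":
        return calls_in_order(A[2]) + calls_in_order(A[3])
    if kind == "while":
        return calls_in_order(A[2])
    return []

# Body of mccarthy(x:v) from Appendix III.
MCCARTHY_BODY = ("if", "v > 100",
                 ("assign", "x", "v - 10"),
                 ("block", [("new", "z")],
                  [("call", "mccarthy", ["z"], ["v + 11"]),
                   ("call", "mccarthy", ["x"], ["z"])]))
```

For the mccarthy body the else-branch has length 4 (two calls, the empty tail block, and the declaration of z) and the whole conditional has length 6, which is the measure the inductive proofs that follow decrease on.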

Before beginning the completeness proof we recall 
some facts proved in Cook [5]: 

1. ⊨_{M[I]} P{begin A_1; A* end}Q ⇒ 
   ⊨_{M[I]} P{A_1}post(P,A_1) and ⊨_{M[I]} post(P,A_1){begin A* end}Q. 

2. ⊨_{M[I]} P{begin new x; D*; A* end}Q ⇒ 
   ⊨_{M[I]} P^y_x ∧ x=e_0{begin D*; A* end}Q^y_x, where y is any new 
   variable with no occurrence in P, Q, D* or A*. 

3. ⊨_{M[I]} P{if R then A_1 else A_2}Q ⇒ 
   ⊨_{M[I]} P∧R{A_1}Q and ⊨_{M[I]} P∧¬R{A_2}Q. 

4. ⊨_{M[I]} P{while R do A_1}Q ⇒ 
   ⊨_{M[I]} inv(P,R,A_1)∧R{A_1}inv(P,R,A_1), Cl(P ⊃ inv(P,R,A_1)) is 
   valid in M[I], and Cl(inv(P,R,A_1)∧¬R ⊃ Q) is valid in M[I], 
   where 'inv(P,R,A_1)' stands for the loop invariant for this 
   formula as constructed by Cook. 
For the remainder of this chapter we shall assume 
that we have a fixed language Al[L1,L2] and model M[I] such 
that L2 is expressive relative to L1 and I, and a fixed proof 
system T for L2, complete relative to I. 

Lemma 3 Given a procedure p(x:v) proc A which may or may not 
be in a recursive cycle, ⊨_{M[I]} P{call p(a:e)}Q ⇒ 

    ⊨_{M[I]} ∃<e>τ (v=eτ ∧ Pτ^x_a){call p(x:v)}∃<e>τ (v=eτ ∧ Qτ^x_a), 

where τ indicates the substitution of a unique, fresh 
variable y' for each variable y which is either i) in e or 
ii) in x or v but not in a, and <e> indicates a list of the 
variables which occur in the expressions e. 

Proof Suppose ⊨_{M[I]} P{call p(a:e)}Q, and suppose we are 
given a pair s,δ such that ∃<e>τ (v=eτ ∧ Pτ^x_a)(s,δ) is true in 
M[I] and s' = Out(call p(x:v),s,δ,π) is defined. Define the 
state s_1: s_1(δ(a)) = s(δ(x)), s_1(δ(y)) = s(δ(y')) for all 
variables y in x or v but not in <e> or a, s_1(δ(<e>)) = J, 
where J are the values which satisfy ∃<e>τ in the precondition, 
and s_1(δ(y)) = s(δ(y)) for all other variables y for which 
s(δ(y)) is defined. Note that P(s_1,δ) is true. From the 
equations s_1(δ(a)) = s(δ(x)), e(s_1,δ) = s(δ(v)), and 
s_1(δ(y)) = s(δ(y)) for all variables y global to A, it 
follows by Prop. 1 that s_1' = Out(call p(a:e),s_1,δ,π) is 
defined, with s_1'(δ(a)) = s'(δ(x)), e(s',δ) = e(s_1,δ) = 
s(δ(v)) = s'(δ(v)), s_1'(δ(y)) = s'(δ(y')) for each variable y 
in x or v but not in <e> or a, and s_1'(δ(y)) = s'(δ(y)) for 
all other variables y where s_1'(δ(y)) is defined. Hence, 
Q(s_1',δ) is true in M[I]. Therefore, ∃<e>τ (v=eτ ∧ Qτ^x_a)(s',δ) 
is true in M[I]: s_1'(δ(<e>)) gives values which satisfy the 
existential quantifier. 

Lemma 4 Given any procedure p(x:v) proc A, 

    ∃<e>τ (v=eτ ∧ Pτ^x_a){call p(x:v)}∃<e>τ (v=eτ ∧ Qτ^x_a) ⊢ P{call p(a:e)}Q, 

where τ indicates the substitution of a unique, fresh 
variable y' for each variable y which is either i) in e or 
ii) in x or v but not in a, and where <e> indicates a list of 
the variables which occur in the expressions e. 


Proof Suppose ⊢ ∃<e>τ (v=eτ ∧ Pτ^x_a){call p(x:v)}∃<e>τ (v=eτ ∧ Qτ^x_a). 
The deduction goes as follows: 

    ⊢ ∃<e>τ (e=eτ ∧ Pτ){call p(a:e)}∃<e>τ (e=eτ ∧ Qτ) 
                                        [parameter substitution] 

    ⊢ ∃<e>τ (e=eτ ∧ Pτ|<e>){call p(a:e)}∃<e>τ (e=eτ ∧ Qτ|<e>) 
                                        [variable substitution] 

(τ|<e> indicates the restriction of the substitution τ to 
variables in <e>.) Noting that P ⊃ ∃<e>τ (e=eτ ∧ Pτ|<e>) (the 
corresponding values of <e> satisfy the quantifier) and 
∃<e>τ (e=eτ ∧ Qτ|<e>) ⊃ Q, we have ⊢ P{call p(a:e)}Q by the 
rule of consequence. 

Lemma 5 Given any procedure p(x:v) proc A, let c be a list of 
all variables either in x or v or with a global occurrence in A. 
If ⊨_{M[I]} R{call p(x:v)}S for some assertions R and S 
in L2, then u=c{call r(x:v)}post(u=c,A) ⊢_{H',T} R{call r(x:v)}S, 
where u is any list of new variables (i.e. not in R,S,c) in 
1-1 correspondence with those in c, and r is any procedure 
name such that the indicated call is syntactically correct. 

Proof Suppose p(x:v), u and c are given as above, with 
⊨_{M[I]} R{call p(x:v)}S and suppose ⊢_{H',T} u=c{call r(x:v)}post(u=c,A). 
We must show ⊢_{H',T} R{call r(x:v)}S. By the axiom of 
invariance, ⊢ R^u_c{call r(x:v)}R^u_c. Therefore, by the rule of 
conjunction, ⊢ R^u_c ∧ u=c{call r(x:v)}R^u_c ∧ post(u=c,A). Since 
R ∧ u=c ⊃ R^u_c ∧ u=c, ⊢ R ∧ u=c{call r(x:v)}R^u_c ∧ post(u=c,A). Now, 
suppose post(u=c,A) ∧ R^u_c(s',δ) is true in M[I] for some s',δ 
pair. Then there is a state s such that u=c(s,δ) is true in 
M[I] and s' = Out(A,s,δ,π). Let z be a list of those 
variables in R or S which aren't in c. Since no variable in 
u or z occurs globally or as a parameter in A, 
s'(δ(u)) = s(δ(u)) and s'(δ(z)) = s(δ(z)). So R^u_c(s,δ) is 
true in M[I]. Since u=c(s,δ) is true, R(s,δ) is true in M[I]. 
Since Out(call p(x:v),s,δ,π) = Out(A,s,δ,π) and it is assumed 
that ⊨_{M[I]} R{call p(x:v)}S, S(s',δ) is true in M[I]. 
Having thus shown that post(u=c,A) ∧ R^u_c ⊃ S is valid in 
M[I], by the completeness of T and the rule of consequence we 
have ⊢ R ∧ u=c{call r(x:v)}S. Applying the rules of variable 
substitution and consequence, ⊢_{H',T} R{call r(x:v)}S. 
Corollary If ⊨_{M[I]} R{call p(x:v)}S, then 
u=c{call p(x:v)}post(u=c,A) ⊢_{H',T} R{call p(x:v)}S, where all 
notation is as given in the above lemma. 

Lemma 6 Given a statement A(p_1,...,p_n) of Al[L1,L2], where 
call p_i(a_i:e_i) is the i-th procedure call (syntactically) in A 
of any procedure in any recursive cycle, if ⊨_{M[I]} P{A(p_1,...,p_n)}Q 
then 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,n} ⊢ P{A(r_1,...,r_n)}Q, 

where the r_j are any syntactically correct 
procedure names, A(r_1,...,r_n) is A(p_1,...,p_n) with p_j replaced 
by r_j for j=1,...,n, and, for each j = 1,...,n, c_j is a list 
of the variables global to the procedure body A_j of p_j 
(including x_j and v_j) and u_j is a list of completely new 
variables in 1-1 correspondence with those in c_j. The lists 
u_j have the property that the two variables in u_j or u_k 
corresponding to a variable c common to c_j and c_k are 
identical. 

Proof (by induction on |A|). 

Basis |A| = 1. 

case i A is of form x := e. Then A(r_1,...,r_n) is A and 
the result follows by the completeness result for 
non-recursive programs. 

case ii A is of form call p_j(a:e). Suppose 
⊨_{M[I]} P{call p_j(a:e)}Q. Then by lemma 3, 

    ⊨_{M[I]} ∃<e>τ (v=eτ ∧ Pτ^x_a){call p_j(x:v)}∃<e>τ (v=eτ ∧ Qτ^x_a), 

where <e> and τ are as indicated in the lemma. So, by lemma 
5, u_j=c_j{call r_j(x:v)}post(u_j=c_j,A_j) ⊢ 
∃<e>τ (v=eτ ∧ Pτ^x_a){call r_j(x:v)}∃<e>τ (v=eτ ∧ Qτ^x_a). Noting 
that lemma 4 is a purely syntactic property (i.e. its proof 
is still valid if we substitute any other syntactically 
correct procedure name for p), we have 
u_j=c_j{call r_j(x:v)}post(u_j=c_j,A_j) ⊢ P{call r_j(a:e)}Q. 

Induction Hypothesis We assume the lemma is true for all 
statements A with |A| ≤ k. 

Inductive Step Let A be a statement with |A| = k+1. 
case i A is of form if R then B_1(p_1,...,p_m) else 
B_2(p_{m+1},...,p_n). If ⊨_{M[I]} P{A}Q, then ⊨_{M[I]} P∧R{B_1(p_1,...,p_m)}Q 
and ⊨_{M[I]} P∧¬R{B_2(p_{m+1},...,p_n)}Q. The induction hypothesis 
applies to each of these, so 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,m} ⊢ P∧R{B_1(r_1,...,r_m)}Q 

and 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=m+1,...,n} ⊢ P∧¬R{B_2(r_{m+1},...,r_n)}Q. 

Using the rule of conditional statements, 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,n} ⊢ P{A(r_1,...,r_n)}Q. 

case ii A is of form while R do B_1. If ⊨_{M[I]} P{A}Q, then 
⊨_{M[I]} inv(P,R,B_1)∧R{B_1(p_1,...,p_n)}inv(P,R,B_1). The induction 
hypothesis applies here and allows us to conclude that 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,n} ⊢ 
    inv(P,R,B_1)∧R{B_1(r_1,...,r_n)}inv(P,R,B_1). 

Using the rule of while statements, 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,n} ⊢ 
    inv(P,R,B_1){while R do B_1(r_1,...,r_n)}inv(P,R,B_1)∧¬R. 

Since Cl(P ⊃ inv(P,R,B_1)) and Cl(inv(P,R,B_1)∧¬R ⊃ Q) are valid, by the 
completeness of T and the rule of consequence we have 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,n} ⊢ P{A(r_1,...,r_n)}Q. 

case iii A is of form begin B_1(p_1,...,p_m); B*(p_{m+1},...,p_n) 
end. If ⊨_{M[I]} P{A}Q, then ⊨_{M[I]} P{B_1}post(P,B_1(p_1,...,p_m)) 
and ⊨_{M[I]} post(P,B_1(p_1,...,p_m)){begin B* end}Q. The induction 
hypothesis applies, giving us 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,m} ⊢ 
    P{B_1(r_1,...,r_m)}post(P,B_1) 

and 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=m+1,...,n} ⊢ 
    post(P,B_1){begin B*(r_{m+1},...,r_n) end}Q. 

Thus, by the rule of compound statements, 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,n} ⊢ P{A(r_1,...,r_n)}Q. 

case iv A is of form begin new x; D*; A* end. If 
⊨_{M[I]} P{A}Q, then ⊨_{M[I]} P^y_x ∧ x=e_0{begin D*; A* end}Q^y_x, where y 
is a new variable with no occurrence in P,Q,D* or A*. The 
induction hypothesis applies and so 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,n} ⊢ 
    P^y_x ∧ x=e_0{begin D*; A*(r_1,...,r_n) end}Q^y_x. 

Applying the rule of variable declarations we have 

    u_j=c_j{call r_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,n} ⊢ P{A(r_1,...,r_n)}Q. 

These four are the only possible cases, so, by induction, 
the lemma is proved. 
Remark The procedure names r_j are introduced to make it 
clear that the indicated deduction is purely syntactic - in 
practice, we will use this result with the actual procedure 
names p_j (in which case A(r_1,...,r_n) is simply A) or with 
dummy procedure names required by the general recursion rule. 

Theorem 3 Given any statement A of Al[L1,L2], if ⊨_{M[I]} P{A}Q 
then ⊢_{H'',T} P{A}Q, where P and Q are any assertions in L2. 

Proof If A is a non-recursive program, the result follows by 
Theorem 2 and the arguments in Appendix II. On the other 
hand, suppose A invokes some procedure in a recursive cycle. 
Let p_1,...,p_n be the syntactically ordered list of all such 
procedures in A. (Note that this is not necessarily a list 
of distinct procedures.) Suppose ⊨_{M[I]} P{A}Q for some 
assertions P,Q of L2. Then, by lemma 6, 

    u_j=c_j{call p_j(x_j:v_j)}post(u_j=c_j,A_j) |_{j=1,...,n} ⊢ P{A}Q, 

where the lists of global variables c_j and new variables u_j and the 
dummy procedure names r_j are as indicated in that lemma. 
Noting that ⊨_{M[I]} u_j=c_j{A_j}post(u_j=c_j,A_j) for each j, 1≤j≤n, 
by lemma 6 we also have that 

    u_k=c_k{call r_k(x_k:v_k)}post(u_k=c_k,A_k) |_{k=1,...,n} ⊢ 
    u_j=c_j{A_j(r_1,...,r_n)}post(u_j=c_j,A_j) for each j, 1≤j≤n. 

This is the hypothesis of the general recursion rule, so we have 
that ⊢ u_j=c_j{call p_j(x_j:v_j)}post(u_j=c_j,A_j) for each j, 1≤j≤n. 
Thus, ⊢_{H'',T} P{A}Q. 




Appendix I. Soundness of Hoare's parameter substitution rule 

Suppose ⊨_{M[I]} P{call p(x:v)}R for some procedure 
p(x:v) proc A. Then ⊨_{M[I]} P^{k',a,e}_{k,x,v}{call p(a:e)}R^{k',a,e}_{k,x,v}, where 
k is a list of those variables not in x or v which occur in a 
or in some expression in e, and k' is a list of new variables 
in 1-1 correspondence with k. 

Proof Given ⊨_{M[I]} P{call p(x:v)}R, suppose P^{k',a,e}_{k,x,v}(s,δ) is 
true in M[I] and s' = Out(call p(a:e),s,δ,π) is defined, for 
some state s and variable assignment δ. Define the state s_1: 
s_1(δ(x)) = s(δ(a)), s_1(δ(v)) = e(s,δ), s_1(δ(k)) = s(δ(k')), 
s_1(δ(y)) = s(δ(y)) for each y not in x,v or k for which 
s(δ(y)) is defined. Since x,v,k are disjoint lists, this is 
well-defined. Note that P(s_1,δ) is true in M[I]. By Prop. 1 
and the definition of Comp for procedure calls, 
s_1' = Out(call p(x:v),s_1,δ,π) is defined, with s_1'(δ(x)) = s'(δ(a)), 
s_1'(δ(v)) = e(s,δ) = e(s',δ), s_1'(δ(k')) = s(δ(k')), 
s_1'(δ(k)) = s_1(δ(k)) (because we disallow occurrences of k in 
the procedure body), and s_1'(δ(y)) = s'(δ(y)) for all other 
variables y where this is defined. Therefore, s_1'(δ(k)) = s'(δ(k')). 
⊨_{M[I]} R(s_1',δ), so ⊨_{M[I]} R^{k',a,e}_{k,x,v}(s',δ). 
Appendix II. Completeness of (H',T) for non-recursive programs 

The proof is identical to Cook's proof for the 
completeness of H, except for the case of procedure calls in 
the inductive step. We must show that ⊨_{M[I]} P{call p(a:e)}Q 
⇒ ⊢ P{call p(a:e)}Q, where ||call p(a:e)|| = k+1 and the 
induction hypothesis states that the axioms are complete for 
all programs B with ||B|| ≤ k. (The notation '||B||' stands for 
the number of procedure calls in B plus the length of the 
result of substituting the corresponding procedure body (with 
formal parameters replaced by actual parameters) for each 
procedure call.) If ⊨_{M[I]} P{call p(a:e)}Q, then by lemma 6 

    ⊨_{M[I]} ∃<e>τ (v=eτ ∧ Pτ^x_a){call p(x:v)}∃<e>τ (v=eτ ∧ Qτ^x_a), 

so by the definition of Comp for procedure calls, 

    ⊨_{M[I]} ∃<e>τ (v=eτ ∧ Pτ^x_a){A}∃<e>τ (v=eτ ∧ Qτ^x_a), 

where p(x:v) proc A. If ||call p(x:v)|| = k+1, then ||A|| = k, so 

    ⊢_{H',T} ∃<e>τ (v=eτ ∧ Pτ^x_a){A}∃<e>τ (v=eτ ∧ Qτ^x_a). 

Therefore, by an application of the rule for non-recursive 
procedure calls and lemma 7, ⊢_{H',T} P{call p(a:e)}Q. 
Appendix III. A sample proof 

The 91-function (see [12]) is the function 

    f(x) = x-10, if x > 100 
           91,   otherwise 

over the set of natural numbers. 
We fix L1 and L2 to be languages for the natural numbers and 
construct a procedure in Al[L1,L2] to compute this function: 

    mccarthy(x:v) proc if v > 100 then x := v-10 
                       else begin new z; 
                                 call mccarthy(z:v+11); 
                                 call mccarthy(x:z) end 

We will indicate how the formulas v>100{call mccarthy(x:v)}x=v-10 
and v≤100{call mccarthy(x:v)}x=91 may be proved. 

We first display a proof of a more general formula, 

    u_1=x ∧ u_2=v{call mccarthy(x:v)}u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10). 

Let T denote a complete proof system for the natural numbers. 

Note: Implicit use of T and the rule of consequence is 
indicated by 'algebra'. 

(1) u_2=v ∧ (v≤100 ⊃ v-10=91) ∧ (v>100 ⊃ v-10=v-10){x:=v-10} 
    u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [axiom of assignment] 

(2) [u_1=x ∧ u_2=v ∧ v>100] ⊃ [u_2=v ∧ (v≤100 ⊃ v-10=91) ∧ (v>100 ⊃ v-10=v-10)] 
                                        [T] 

(3) u_1=x ∧ u_2=v ∧ v>100{x:=v-10}u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [(1),(2), rule of consequence] 
(4) u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10){begin end} 
    u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [axiom of compound statements] 

(5) u_1=x ∧ u_2=v{call r(x:v)}u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [assumption] 

(6) u_1=z ∧ u_2=v+11{call r(z:v+11)} 
    u_2=v+11 ∧ (v≤89 ⊃ z=91) ∧ (v>89 ⊃ z=v+1) 
                                        [(5), rule of parameter substitution, algebra] 

(7) u_1=z ∧ u_2=v{call r(z:v+11)} 
    u_2=v ∧ (v≤89 ⊃ z=91) ∧ (v>89 ⊃ z=v+1) 
                                        [(6), rule of variable substitution: (u_2+11)/u_2, algebra] 

(8) u_1=z ∧ u_2=v ∧ u_2≤100{call r(z:v+11)} 
    u_2=v ∧ (v≤89 ⊃ z=91) ∧ (v>89 ⊃ z=v+1) 
                                        [T,(7), rule of consequence] 

(9) u_2≤100{call r(z:v+11)}u_2≤100 
                                        [axiom of invariance] 

(10) u_1=z ∧ u_2=v ∧ u_2≤100{call r(z:v+11)}u_2≤100 
                                        [T,(9), rule of consequence] 

(11) u_1=z ∧ u_2=v ∧ u_2≤100{call r(z:v+11)} 
     u_2=v ∧ (v≤89 ⊃ z=91) ∧ (v>89 ⊃ z=v+1) ∧ u_2≤100 
                                        [(8),(10), rule of conjunction] 
(12) u_1=x ∧ u_2=z{call r(x:z)}u_2=z ∧ (z≤100 ⊃ x=91) ∧ (z>100 ⊃ x=z-10) 
                                        [(5), rule of parameter substitution] 

(13) u_1=x ∧ u_3=z{call r(x:z)} 
     u_3=z ∧ (z≤100 ⊃ x=91) ∧ (z>100 ⊃ x=z-10) 
                                        [(12), rule of variable substitution: u_3/u_2] 

(14) u_1=x ∧ u_3=z ∧ u_2≤100 ∧ u_2=v ∧ (v≤89 ⊃ u_3=91) ∧ (v>89 ⊃ u_3=v+1) 
     {call r(x:z)}u_3=z ∧ (z≤100 ⊃ x=91) ∧ (z>100 ⊃ x=z-10) 
                                        [T,(13), rule of consequence] 

(15) u_2≤100 ∧ u_2=v ∧ (v≤89 ⊃ u_3=91) ∧ (v>89 ⊃ u_3=v+1){call r(x:z)} 
     u_2≤100 ∧ u_2=v ∧ (v≤89 ⊃ u_3=91) ∧ (v>89 ⊃ u_3=v+1) 
                                        [axiom of invariance] 

(16) u_1=x ∧ u_3=z ∧ u_2≤100 ∧ u_2=v ∧ (v≤89 ⊃ u_3=91) ∧ (v>89 ⊃ u_3=v+1) 
     {call r(x:z)}u_2≤100 ∧ u_2=v ∧ (v≤89 ⊃ u_3=91) ∧ (v>89 ⊃ u_3=v+1) 
                                        [T,(15), rule of consequence] 

(17) u_1=x ∧ u_3=z ∧ u_2≤100 ∧ u_2=v ∧ (v≤89 ⊃ u_3=91) ∧ (v>89 ⊃ u_3=v+1) 
     {call r(x:z)}u_2≤100 ∧ u_2=v ∧ (v≤89 ⊃ u_3=91) ∧ 
     (v>89 ⊃ u_3=v+1) ∧ u_3=z ∧ (z≤100 ⊃ x=91) ∧ (z>100 ⊃ x=z-10) 
                                        [(14),(16), rule of conjunction] 
(18) [u_2≤100 ∧ u_2=v ∧ (v≤89 ⊃ u_3=91) ∧ (v>89 ⊃ u_3=v+1) ∧ 
     u_3=z ∧ (z≤100 ⊃ x=91) ∧ (z>100 ⊃ x=z-10)] ⊃ 
     [u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10)] 
                                        [T] 

(19) u_1=x ∧ u_3=z ∧ u_2≤100 ∧ u_2=v ∧ (v≤89 ⊃ u_3=91) ∧ (v>89 ⊃ u_3=v+1) 
     {call r(x:z)}u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [(17),(18),T, rule of consequence] 

(20) x=x ∧ z=z ∧ u_2≤100 ∧ u_2=v ∧ (v≤89 ⊃ z=91) ∧ (v>89 ⊃ z=v+1) 
     {call r(x:z)}u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [rule of variable substitution: x,z/u_1,u_3] 

(21) u_2=v ∧ (v≤89 ⊃ z=91) ∧ (v>89 ⊃ z=v+1) ∧ u_2≤100 
     {call r(x:z)}u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [T,(20), rule of consequence] 
(22) u_2=v ∧ (v≤89 ⊃ z=91) ∧ (v>89 ⊃ z=v+1) ∧ u_2≤100 
     {begin call r(x:z) end}u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [(4),(21), rule of compound statements] 

(23) u_1=z ∧ u_2=v ∧ u_2≤100{begin call r(z:v+11); call r(x:z) end} 
     u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [(11),(22), rule of compound statements] 

(24) z=z ∧ u_2=v ∧ u_2≤100{begin call r(z:v+11); call r(x:z) end} 
     u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [(23), rule of variable substitution: z/u_1] 

(25) u_1=x ∧ u_2=v ∧ v≤100 ∧ z=e_0 
     {begin call r(z:v+11); call r(x:z) end} 
     u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [(24),T, rule of consequence] 

(26) u_1=x ∧ u_2=v ∧ v≤100 
     {begin new z; call r(z:v+11); call r(x:z) end} 
     u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [(25), rule of variable declarations] 

(27) u_1=x ∧ u_2=v{if v>100 then x := v-10 
                  else begin new z; 
                            call r(z:v+11); 
                            call r(x:z) end} 
     u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [(3),(26), rule of conditional statements] 
(28) u_1=x ∧ u_2=v{call mccarthy(x:v)}u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) 
                                        [(1)-(27), rule of recursion] 

From this formula we may deduce the formulas 

    v>100{call mccarthy(x:v)}x=v-10 

and 

    v≤100{call mccarthy(x:v)}x=91 

by using the formulas u_2≤100{call mccarthy(x:v)}u_2≤100 
and u_2>100{call mccarthy(x:v)}u_2>100 and the rules of 
conjunction, variable substitution and consequence. 
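As an added check (not part of the thesis's proof), the following Python code runs the mccarthy procedure, with the result parameter x modelled as the return value, and evaluates the proved formula (28) and the intermediate assertion of step (11) on concrete states. The variables u_1 and u_2 of the proof are logical copies of x and v taken at entry, which is how the checker treats them; nothing here replaces the deduction, it only confirms on sample inputs that the assertions the proof manipulates are the ones the procedure actually satisfies.

```python
def mccarthy(v):
    """The procedure mccarthy(x:v) from Appendix III, with the result
    parameter x modelled as the return value."""
    if v > 100:
        return v - 10
    z = mccarthy(v + 11)        # call mccarthy(z:v+11)
    return mccarthy(z)          # call mccarthy(x:z)

def f91(v):
    """The 91-function as defined above."""
    return v - 10 if v > 100 else 91

def postcondition_holds(v):
    """Formula (28) on one entry state: with u_1=x and u_2=v fixed at
    entry, check u_2=v ∧ (v≤100 ⊃ x=91) ∧ (v>100 ⊃ x=v-10) at exit."""
    u2 = v                      # v is not assigned by the procedure
    x = mccarthy(v)
    return u2 == v and (v > 100 or x == 91) and (v <= 100 or x == v - 10)

def inner_call_assertion_holds(v):
    """The postcondition of step (11) for the first inner call,
    call r(z:v+11), when v≤100: (v≤89 ⊃ z=91) ∧ (v>89 ⊃ z=v+1)."""
    z = mccarthy(v + 11)
    return (v > 89 or z == 91) and (v <= 89 or z == v + 1)

def check_range(lo, hi):
    """Check (28) for every v in [lo, hi) and the step (11) assertion for
    every v in that range with v≤100."""
    return (all(postcondition_holds(v) for v in range(lo, hi)) and
            all(inner_call_assertion_holds(v) for v in range(lo, min(hi, 101))))
```

The two formulas derived last, v>100{call mccarthy(x:v)}x=v-10 and v≤100{call mccarthy(x:v)}x=91, are the two conjuncts of (28) read separately, and the check covers both branches.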